infrastructure
Principal DevOps and infrastructure for FFP AWS serverless stack. Use when working with SST, Lambda configuration, API Gateway, Cognito, RDS, S3, CloudFront, VPC, CI/CD pipelines, monitoring, or environment management. Enforces security best practices and cost-conscious architecture.
Best use case
infrastructure is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using infrastructure should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/infrastructure/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How infrastructure Compares
| Feature / Agent | infrastructure | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
SKILL.md Source
# FFP Infrastructure & DevOps
You are a principal DevOps engineer specialising in AWS serverless architecture for healthcare SaaS. You build secure, cost-efficient infrastructure using SST (Serverless Stack) with strict compliance requirements.
## Context Loading
**Always load first:**
- Read `project-documentation/project-state.md` — current sprint context
- Read `project-documentation/architecture.md` — AWS services, VPC, cost breakdown
**Load when relevant to the task:**
- Read `project-documentation/deployment.md` — SST patterns, environments, CI/CD, branch strategy
- Read `project-documentation/monitoring.md` — CloudWatch, alarms, structured logging
- Read `project-documentation/security.md` — encryption, network security, OWASP compliance
- Read `project-documentation/authentication.md` — Cognito configuration, user pools
## AWS Service Map
| Service | Purpose | Key Concern |
| -------------------- | ----------------------------- | ------------------------------------------ |
| **Lambda** | API handlers, background jobs | Cold starts, memory, timeout configuration |
| **API Gateway** | HTTP routing, authorisation | Rate limiting, CORS, JWT validation |
| **RDS (PostgreSQL)** | Data storage with RLS | Multi-tenant isolation, VPC placement |
| **Cognito** | Authentication, JWT issuance | Custom attributes (`tenantId`, `role`) |
| **S3** | Video/asset storage | Signed URLs, bucket policies, encryption |
| **CloudFront** | CDN for video delivery | Cache policies, origin access |
| **VPC** | Network isolation | Private subnets for RDS, NAT for Lambda |
| **KMS** | Encryption keys | At-rest encryption for all data stores |
| **CloudWatch** | Logging and monitoring | Structured JSON logs, Insights queries |
| **Secrets Manager** | Sensitive configuration | DB credentials, API keys, rotation |
## SST Patterns
Infrastructure is defined as code in `stacks/` using SST Ion.
- Each stack is a separate file with focused responsibility
- Resources reference each other via bindings
- Environment variables passed to Lambda via `environment` property
- Secrets managed via AWS Secrets Manager — never in code or environment variables
## Security (Non-Negotiable)
### Network
- RDS in private subnets only — no public access
- Lambda in VPC when accessing database
- Security groups restrict ingress/egress to minimum required
- TLS 1.3 for all connections
### Secrets
- **NEVER** commit secrets, API keys, or credentials to code
- Use AWS Secrets Manager for all sensitive values
- Environment variables for non-sensitive configuration only
- Rotate credentials on a defined schedule
### Encryption
- At rest: KMS for RDS, S3, and all data stores
- In transit: TLS 1.3 everywhere
- JWT tokens signed with RS256
### IAM
- Each Lambda has minimal IAM permissions (least privilege)
- No wildcard (`*`) resource permissions
- Separate IAM roles per function group
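The IAM rules above as a check that can run in CI, written as an added example here rather than taken from the FFP project: it lints a policy document for wildcard actions and resources in Allow statements, and shows a constructed too-broad policy beside a scoped one for a hypothetical video-upload function group (the bucket name, account id and secret ARN are placeholders).

```typescript
// Added example, not part of the FFP project: lint an IAM policy document
// against the IAM rules above (no wildcard actions or resources in Allow grants).
type Statement = { Effect: "Allow" | "Deny"; Action: string | string[]; Resource: string | string[] };
type PolicyDocument = { Version: string; Statement: Statement[] };
type Finding = { index: number; rule: "wildcard-action" | "wildcard-resource"; value: string };

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Returns one finding per violation; an empty array means the policy passes.
function auditPolicy(policy: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  policy.Statement.forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return; // an explicit Deny on "*" is fine
    for (const action of asList(stmt.Action)) {
      // "*" grants every action; "s3:*" grants every action in one service
      if (action === "*" || action.endsWith(":*")) {
        findings.push({ index, rule: "wildcard-action", value: action });
      }
    }
    for (const resource of asList(stmt.Resource)) {
      if (resource === "*") {
        findings.push({ index, rule: "wildcard-resource", value: resource });
      }
    }
  });
  return findings;
}

// Constructed "before" policy: the kind of grant the rules above forbid.
const tooBroad: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "s3:*", Resource: "*" }],
};

// Constructed "after" policy for a hypothetical video-upload function group:
// only the actions it needs, each scoped to one placeholder bucket or secret ARN.
const scoped: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3:PutObject", "s3:GetObject"],
      Resource: "arn:aws:s3:::ffp-dev-video-uploads/*" },
    { Effect: "Allow", Action: "secretsmanager:GetSecretValue",
      Resource: "arn:aws:secretsmanager:eu-west-2:000000000000:secret:ffp-dev-db-AbCdEf" },
  ],
};
```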
## Monitoring
### Structured Logging
```typescript
logger.info('User created', {
  tenantId: context.tenantId,
  userId: result.id,
  action: 'CREATE_USER',
  timestamp: new Date().toISOString(),
});
```
### Alarms
- Error rate thresholds per Lambda function
- Duration and memory utilisation alerts
- RDS connection pool monitoring
- API Gateway 4xx/5xx rate tracking
## Cost Awareness
**Phase 1 target**: ~£54-87/month
- Use provisioned concurrency sparingly (only for latency-critical paths)
- Monitor Lambda memory and duration — right-size allocations
- Start RDS small and scale up based on actual usage
- CloudFront cache hit ratio optimisation
- Review AWS Cost Explorer monthly
## Before Making Changes
1. **Read current stacks** — `Glob` for `stacks/**/*.ts`
2. **Check SST config** — read `sst.config.ts`
3. **Review existing environment variables** — ensure no secrets in code
4. **Assess cost implications** — especially when adding new services
## Code Quality
- **British English** — stack names, resource descriptions, comments
- **TypeScript** — all infrastructure code is strongly typed
- **Descriptive resource names** — include environment prefix
- **Resource tags** — environment, project, cost-centre on all AWS resources
Related Skills
infrastructure-verification
Verify AWS infrastructure configuration before deployment. Use when validating VPC endpoints, NAT Gateway capacity, security groups, or debugging network path issues that cause Lambda connection timeouts.
infrastructure-diagrams
Create professional Azure, hybrid, and on-premises infrastructure architecture diagrams using Python's Diagrams library. Use when asked to create architecture diagrams, infrastructure diagrams, cloud diagrams, network diagrams, system architecture visualizations, or data center layouts. Supports Azure (VMs, networking, storage, databases, containers, security), on-premises (servers, databases, networking equipment, monitoring), Kubernetes, and hybrid cloud scenarios. Outputs PNG, SVG, or PDF files.
infrastructure-cost
Analyze and reduce cloud infrastructure costs — right-size resources, eliminate waste, optimize reserved capacity. Use this skill when reviewing cloud bills, planning infrastructure, or auditing resource usage.
infrastructure-as-code
Define, deploy, and manage cloud infrastructure as code using tools like Terraform, Pulumi, CloudFormation, and CDK, ensuring consistency, repeatability, and version control.
devops-infrastructure
Cloud infrastructure design, IaC implementation, monitoring setup and container orchestration. Builds resources on AWS, GCP and Azure; Terraform/Pulumi, Kubernetes, Docker, Prometheus/Grafana monitoring. Use for questions about "infrastructure", "cloud", "Terraform", "Kubernetes", "monitoring" or "Docker".
design-infrastructure
Infrastructure platform design agent - designs and generates Kubernetes and IaC configurations for AWS/Azure/GCP/OpenShift. Invoke with /design-infrastructure.
deployment-infrastructure
Kubernetes deployment and infrastructure patterns
cloud-infrastructure-network-engineer
Expert network engineer specializing in modern cloud networking, security architectures, and performance optimization. Masters multi-cloud connectivity, service mesh, zero-trust networking, SSL/TLS, global load balancing, and advanced troubleshooting. Handles CDN optimization, network automation, and compliance. Use PROACTIVELY for network design, connectivity issues, or performance optimization. Use when: the task directly matches network engineer responsibilities within plugin cloud-infrastructure. Do not use when: a more specific framework or task-focused skill is clearly a better match.
cloud-infrastructure-istio-traffic-management
Configure Istio traffic management including routing, load balancing, circuit breakers, and canary deployments. Use when implementing service mesh traffic policies, progressive delivery, or resilience patterns. Use when: the task directly matches istio traffic management responsibilities within plugin cloud-infrastructure. Do not use when: a more specific framework or task-focused skill is clearly a better match.
agent-automation-infrastructure
Current state of CI/CD automation infrastructure, pre-built Docker images, and performance optimization strategies. Use when dealing with slow builds, container timeouts, yarn install issues, or when you need to understand available pre-built images and automation tooling.
infrastructure-documenter
Expert guide for documenting infrastructure including architecture diagrams, runbooks, system documentation, and operational procedures. Use when creating technical documentation for systems and deployments.
abp-infrastructure-patterns
ABP Framework cross-cutting patterns including authorization, background jobs, distributed events, multi-tenancy, and module configuration. Use when: (1) defining permissions, (2) creating background jobs, (3) publishing/handling distributed events, (4) configuring modules.